Re: How to avoid relabeling rootfs at every boot

(Adding the SELinux back on as a cc)

A file_contexts file is created when the policy is built using
Refpolicy or CIL. It must be created manually when using checkpolicy
on a policy.conf file. Since you are using restorecon, I would guess
that there is a file_contexts file in
/etc/selinux/targeted/contexts/files/.
Jim



On Fri, Oct 23, 2020 at 4:14 PM Ian M <merinian@xxxxxxxxx> wrote:
>
> It answers half my question I think,
>
> The other half being where is the initial label coming from? As Bill said the cpio does not support xattr so that field is empty on boot and is populated sometime after.
>
> If I knew when and why that labeling was happening I think I'd be in a good position to move forward with my work.
>
> Thanks,
>
> Ian
>
> On Fri, Oct 23, 2020 at 4:12 PM Ian M <merinian@xxxxxxxxx> wrote:
>>
>>
>>
>> On Fri, Oct 23, 2020 at 4:02 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>>>
>>> Does Bill's response on the SELinux list answer your question?
>>>
>>> Jim
>>>
>>>
>>> On Fri, Oct 23, 2020 at 2:18 PM Ian M <merinian@xxxxxxxxx> wrote:
>>> >
>>> > Hi Jim,
>>> >
>>> > Thanks for your response.
>>> >
>>> > My confusion surrounds how the filesystem gets its initial labels, they do not seem to be coming from the policy itself.
>>> >
>>> > e.g. the contents of /bin/ should be labeled bin_t according to the policy, but are root_t at boot.
>>> >
>>> > The filesystem does support xattrs, but as it is a ramdisk used to boot linux the extended attributes do not survive a reboot.
>>> >
>>> > Thanks,
>>> >
>>> >
>>> > Ian
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Oct 23, 2020 at 2:06 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>>> >>
>>> >> On Fri, Oct 23, 2020 at 12:02 PM Ian M <merinian@xxxxxxxxx> wrote:
>>> >> >
>>> >> > Hello,
>>> >> >
>>> >> > I hope this is the right list for this question:
>>> >> >
>>> >> > I've got an embedded system that uses its initramfs as its root filesystem as well. At boot, after the selinux policy loads, everything on the rootfs is incorrectly labeled as system_u:object_r:root_t. I have temporarily worked around this by adding a restorecon on the rootfs at boot, but since the rootfs is a ramdisk the changes do not survive a system reboot.
>>> >> >
>>> >> > I may be incorrect, but my understanding (assumption?) is that the labels would be applied when the policy is loaded at boot.  So I cannot understand why the labels are always incorrect.
>>> >> >
>>> >> Filesystem labels are not applied when the policy is labeled. On
>>> >> filesystems that support xattrs, a fs_use_xattr rule is used to tell
>>> >> SELinux to use the label stored in the security.selinux xattrs, but
>>> >> the filesystem will still have to be labeled initially. If the fs does
>>> >> not support xattrs and every file can be labeled the same, then a
>>> >> genfscon rule can be used.
>>> >>
>>> >> I am not sure of your exact case, but you can find more information in
>>> >> the SELinux Notebook - See
>>> >> https://github.com/SELinuxProject/selinux-notebook
>>> >>
>>> >> Jim
>>> >>
>>> >> >
>>> >> > Thanks,
>>> >> >
>>> >> > Ian
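The thread settles on the mechanism: with fs_use_xattr the kernel takes the label from the security.selinux xattr, so the filesystem has to be labeled once, and a cpio initramfs cannot carry those xattrs across a reboot. The following is an added example, not code from the thread or from the SELinux project: a small boot-time helper that wraps the restorecon workaround as a setfiles pass, plus a pure-text file_contexts lookup so a single path's live label can be checked against what the policy's file_contexts says it should be. It assumes the "targeted" store path Jim names, that setfiles and getfattr are installed, and a simplified matcher (last matching entry wins, the optional file-type column such as `--` is ignored) that is close to, but not identical to, libselinux's lookup; the sample file_contexts at the bottom is constructed so the lookup can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the thread or the SELinux project): boot-time
# relabel helper for a ramdisk rootfs that loses its security.selinux xattrs
# on every boot, plus a pure-text file_contexts lookup for checking a path.
#
# Assumptions: policy store "targeted" (the path Jim names), setfiles and
# getfattr installed, and a simplified matcher in which the last matching
# file_contexts entry wins and the optional file-type column (--, -d, ...)
# is ignored.

FILE_CONTEXTS=${FILE_CONTEXTS:-/etc/selinux/targeted/contexts/files/file_contexts}

# type_of_context CONTEXT: user:role:type[:range] -> type
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# current_type PATH: the type in the security.selinux xattr, i.e. what a
# fs_use_xattr filesystem hands the kernel. Fails when the xattr is absent.
current_type() {
    ctx=$(getfattr --only-values -n security.selinux -- "$1" 2>/dev/null) || return 1
    type_of_context "$ctx"
}

# expected_type PATH FILE_CONTEXTS: the type file_contexts assigns to PATH.
# Each entry is "regex [filetype] context"; setfiles anchors the regex at
# both ends. An entry whose context is <<none>> clears any earlier match.
expected_type() {
    awk -v path="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            re = $1; ctx = $NF
            if (match(path, "^" re "$")) {
                last = (ctx == "<<none>>") ? "" : ctx
            }
        }
        END { if (last != "") { split(last, a, ":"); print a[3] } }
    ' "$2"
}

# check_label PATH: compare the live xattr with file_contexts; returns 1 on
# mismatch (or when no xattr is present, which is the ramdisk's state at boot).
check_label() {
    want=$(expected_type "$1" "$FILE_CONTEXTS")
    have=$(current_type "$1") || have="(no xattr)"
    if [ "$want" = "$have" ]; then
        printf 'ok        %s %s\n' "$1" "$have"
        return 0
    fi
    printf 'mismatch  %s have=%s want=%s\n' "$1" "$have" "$want"
    return 1
}

# relabel_rootfs [ROOT]: the batch form of the restorecon workaround. Because
# the cpio archive cannot carry xattrs this has to run every boot: call it
# from the init script right after load_policy and before services start.
# -F resets the full context even when the type already matches; -v lists
# every file changed, which is worth keeping in the boot log.
relabel_rootfs() {
    setfiles -F -v "$FILE_CONTEXTS" "${1:-/}"
}

# Constructed sample file_contexts (refpolicy-style entries) so the matcher
# can be exercised on a machine without SELinux.
SAMPLE_FC=$(mktemp)
trap 'rm -f "$SAMPLE_FC"' EXIT
cat >"$SAMPLE_FC" <<'EOF'
# regex                 [type]  context
/.*                             system_u:object_r:default_t:s0
/bin(/.*)?                      system_u:object_r:bin_t:s0
/bin/bash               --      system_u:object_r:shell_exec_t:s0
/lib(/.*)?                      system_u:object_r:lib_t:s0
/proc(/.*)?                     <<none>>
EOF

for p in /bin/sh /bin/bash /etc/passwd /proc/cpuinfo; do
    printf '%-14s -> %s\n' "$p" "$(expected_type "$p" "$SAMPLE_FC")"
done
```

On the embedded box, `check_label /bin/sh` before the relabel pass reports "(no xattr)" against `bin_t`, which is exactly the state described in the thread: the kernel falls back to the filesystem's default, here `root_t`, until setfiles writes the xattrs. Running `relabel_rootfs /` early in init makes that pass part of every boot instead of a manual fix; the only ways to avoid it altogether are the ones Jim lists, a genfscon rule if one label for the whole fs is acceptable, or a root image whose format preserves xattrs.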



